  • 1.  Is it possible to uninstall the Expansion Pack version of BIND on AIX 7.2?

    Posted Wed June 12, 2024 06:05 PM

    I believe I may have incorrectly applied (because it turns out not to have been needed) the bind_fix26 efix to my AIX 7.2.5.7 DNS servers (i.e. I don't remember ever downloading/installing the Expansion Pack version of BIND), and now I receive a "Got SERVFAIL reply" message when I try to do an nslookup by name (though reverse lookup by address still works).  I suspect that this message may be due to my not previously having implemented DNSSEC ... but a search on how to do that tells me: "Implementing DNSSEC involves checking registrar support, generating cryptographic keys (KSK, ZSK), updating DNS records with Delegation Signer (DS) records, configuring DNSSEC settings in the registrar's dashboard, verifying setup using validation tools, monitoring key expiration, and communicating with the registrar..."  So, I'm guessing it may be faster to revert back to the bos.net.tcp.bind and bos.net.tcp.bind_utils that are part of the base AIX 7.2 install.

    Unfortunately, when I tried to uninstall bind.rte I was unable to do so, due to all of the non-deinstallable dependents and other prereqs that are dragged along.  I then tried to force a reinstall of bos.net.tcp.bind from media, but was unable to do so as I was told it is "Already superseded by 7.2.916.4800".  Is there a way I can undo my installation of bind.rte and get back to where I was before (e.g. maybe a "surgical" odmdelete so that I can reinstall the base bos.net.tcp.bind and bos.net.tcp.bind_utils filesets)?



    ------------------------------
    Erich Wolz
    ------------------------------


  • 2.  RE: Is it possible to uninstall the Expansion Pack version of BIND on AIX 7.2?

    Posted Thu June 13, 2024 10:17 AM

    (On the flip side, if there's a relatively easy config change that can be applied to my DNS servers such that the new BIND will work without my having to immediately figure out how to implement DNSSEC, that will work as well -- and will probably be better in the long run.)



    ------------------------------
    Erich Wolz
    ------------------------------



  • 3.  RE: Is it possible to uninstall the Expansion Pack version of BIND on AIX 7.2?

    Posted 26 days ago

    I get to answer my own question :-) 

    I found https://kb.isc.org/docs/using-private-name-space which purports to do the following:

    This section exists to provide interim advice for those whose configurations are currently imperfect, and who need to implement short-term workarounds until they're able to do things properly...

    So, I made the below additions to my /etc/named.conf, stopped/restarted named, and am again able to resolve names to addresses in my clearlake.ibm.com domain:

    dnssec-policy none;
    dnssec-validation no;
    validate-except {
        "clearlake.ibm.com";
    };



    ------------------------------
    Erich Wolz
    ------------------------------
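
Added example (not part of the original posts, and not IBM or ISC code): a POSIX shell check that classifies a named.conf by how far DNSSEC validation has been switched off. With `dnssec-validation no;` validation is off for every name, so the `validate-except` list has no further effect; the second sample, constructed here, leaves validation on and exempts only the private domain. The function names, the sample configs and the placement of the statements inside `options { }` are assumptions made for illustration.

```shell
#!/bin/sh
# Classify named.conf text read on stdin by DNSSEC validation scope.
# Limitation (assumption): only '#' and '//' comments are stripped, not /* */.

_flatten() { sed -e 's/#.*$//' -e 's|//.*$||' | tr '\n' ' '; }

# Prints: global-off | scoped-exceptions | no-override
dnssec_scope() {
    flat=$(_flatten)
    if printf '%s' "$flat" | grep -Eq 'dnssec-validation[[:space:]]+no[[:space:]]*;'; then
        echo "global-off"          # no answer is validated, for any domain
    elif printf '%s' "$flat" | grep -Eq 'validate-except[[:space:]]*\{[^}]*[^}[:space:]][^}]*\}'; then
        echo "scoped-exceptions"   # validation stays on outside the listed names
    else
        echo "no-override"         # neither setting present; built-in default applies
    fi
}

# Prints the names listed in validate-except, one per line.
exempt_zones() {
    _flatten | sed -n 's/.*validate-except[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -d '";' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Constructed sample 1: the settings from the post above.
POSTED=$(cat <<'EOF'
options {
    dnssec-policy none;
    dnssec-validation no;
    validate-except { "clearlake.ibm.com"; };
};
EOF
)

# Constructed sample 2: validation left on, private domain exempted only.
SCOPED=$(cat <<'EOF'
options {
    // dnssec-validation no;   (commented out, must be ignored)
    dnssec-validation auto;
    validate-except { "clearlake.ibm.com"; };
};
EOF
)

printf '%s\n' "$POSTED" | dnssec_scope
printf '%s\n' "$SCOPED" | dnssec_scope
printf '%s\n' "$SCOPED" | exempt_zones
```

To audit a live server, pipe the real file in instead of the samples, for example `dnssec_scope < /etc/named.conf`.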